Ledger Customers Face New Phishing Risks After Third-Party Data Exposure
Ledger confirms customer data exposure via Global-e breach, warning of phishing risks despite no impact on wallets or funds.
The French crypto hardware company Ledger has confirmed that customer data was exposed following a security incident at Global-e, the ecommerce platform it relies on to process international orders. While no wallets or funds were compromised, the breach underscores a familiar weakness in the digital economy: even security-focused firms can be undermined by vulnerabilities in their supply chain.
According to Ledger, unauthorized access to a Global-e cloud system allowed attackers to obtain basic customer information, including names, contact details, and order data such as purchased products and prices. The company emphasized that sensitive elements such as passwords, payment details, private keys, or the 24-word recovery phrases that protect Ledger wallets were not affected. “There is no impact on financial data or cryptocurrencies,” Ledger said, seeking to reassure users alarmed by the news.
Global-e, which supports cross-border ecommerce by enabling purchases in local currencies, began notifying affected customers on January 5. In its communication, the company stressed that it does not store highly sensitive data like government identification because such information is not required for order fulfillment. Still, it warned that the exposed contact details could be exploited in targeted phishing campaigns, a risk that has already begun to materialize.
Cybersecurity researcher NanoBaiter shared an early example of a scam email circulating shortly after the breach. The message, posing as a legitimate update from “Katie at E-Global,” encouraged recipients to click a link to learn about supposed improvements to Ledger device security. The email was addressed generically to “Ledger User,” a common red flag in phishing attempts, though such a message can still be effective when combined with accurate order-related details.
Both Ledger and Global-e urged customers to treat any unsolicited communication with caution. Global-e advised users to be alert to suspicious emails, calls, texts, or instant messages referencing online orders, and reminded them that neither company will ever request personal information by phone or text. Ledger went further, warning customers to be “extremely suspicious” of any unexpected physical deliveries, including so-called replacement devices. “Ledger will never send physical items or ask you to scan QR codes, visit websites, or share your 24-word recovery phrase,” the company stated.
The incident may extend beyond Ledger. Global-e acknowledged that “several brands” were affected after attackers accessed shopper order data stored in its systems, although it did not name other clients. This has raised questions for the platform’s extensive customer base, which includes more than 1,000 brands across over 200 markets. High-profile names listed on Global-e’s website range from luxury fashion houses like Burberry and Hugo Boss to global brands such as Adidas, Netflix, and Disney.
For Ledger users, the immediate risk lies less in compromised devices than in social engineering. If a customer were tricked into linking a malicious device or revealing recovery information, criminals could gain full control of their assets. As Ledger noted, funds remain safe “as long as your recovery phrase has not been shared,” a reminder that human error remains the most exploitable vulnerability in crypto security.



